Closed Bug 1937080 Opened 11 months ago Closed 10 months ago

Mitigate breakage risks for parent-process script security

Tracking

()

Status:

RESOLVED FIXED

Milestone:

136 Branch

Tracking Flags:

Tracking

Status

firefox136

---

fixed

People

(Reporter: freddy, Assigned: tschuster)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(4 files)

Bug 1937080 - Make the <meta> CSP in browser.xhtml pref controllable. r?freddyb 10 months ago Tom Schuster (MoCo) 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1937080 - Drive by cleanup: Don't pass the sample string to the GatherSecurityPolicyViolationEventData function. r?freddyb 10 months ago Tom Schuster (MoCo) 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1937080 - Don't strip CSP report URIs when the mSelfURI is a chrome: URL. r?freddyb 10 months ago Tom Schuster (MoCo) 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1937080 - Block inline event handlers in Nightly and collect telemetry. r?freddyb!,Gijs! 10 months ago Tom Schuster (MoCo) 48 bytes, text/x-phabricator-request		Details \| Review

Frederik Braun [:freddy]

Reporter

Description

•

11 months ago

We should build logging to get insights into what kind of event handlers are added in the real world (document, element, position, event handler attribute, script source, JavaScript stack trace...).

We should be able to disable the enforcement mechanism at runtime (pref? remote settings?)

Tom Schuster (MoCo)

Assignee

Comment 1

•

10 months ago

Attached file Bug 1937080 - Make the <meta> CSP in browser.xhtml pref controllable. r?freddyb — Details

Daniel Veditz [:dveditz] out until Nov 10

Updated

•

10 months ago

Whiteboard: [domsecurity-active]

Tom Schuster (MoCo)

Assignee

Updated

•

10 months ago

Comment 2

•

10 months ago

Attached file Bug 1937080 - Drive by cleanup: Don't pass the sample string to the GatherSecurityPolicyViolationEventData function. r?freddyb — Details

Tom Schuster (MoCo)

Assignee

Comment 3

•

10 months ago

Attached file Bug 1937080 - Don't strip CSP report URIs when the mSelfURI is a chrome: URL. r?freddyb — Details

Tom Schuster (MoCo)

Assignee

Comment 4

•

10 months ago

Attached file Bug 1937080 - Block inline event handlers in Nightly and collect telemetry. r?freddyb!,Gijs! — Details

Tom Schuster (MoCo)

Assignee

Comment 5

•

10 months ago

https://treeherder.mozilla.org/jobs?repo=try&revision=e8d0d912cdb830ae1698efc72c4734c5ee25b727

Phabricator Automation

Updated

•

10 months ago

Attachment #9445333 - Attachment description: WIP: Bug 1937080 - Drive by cleanup: Don't pass the sample string to the GatherSecurityPolicyViolationEventData function → Bug 1937080 - Drive by cleanup: Don't pass the sample string to the GatherSecurityPolicyViolationEventData function. r?freddyb

Phabricator Automation

Updated

•

10 months ago

Attachment #9445334 - Attachment description: WIP: Bug 1937080 - Don't strip CSP report URIs when the mSelfURI is chrome: → Bug 1937080 - Don't strip CSP report URIs when the mSelfURI is a chrome: URL. r?freddyb

Phabricator Automation

Updated

•

10 months ago

Attachment #9444714 - Attachment description: WIP: Bug 1937080 - Make the <meta> CSP in browser.xhtml pref controllable. → Bug 1937080 - Make the <meta> CSP in browser.xhtml pref controllable. r?freddyb

Phabricator Automation

Updated

•

10 months ago

Attachment #9445335 - Attachment description: WIP: Bug 1937080 - Block inline event handlers in Nightly and collect telemetry → Bug 1937080 - Block inline event handlers in Nightly and collect telemetry. r?freddyb!,Gijs!

Pulsebot

Comment 6

•

10 months ago

Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3fade7db9688 Drive by cleanup: Don't pass the sample string to the GatherSecurityPolicyViolationEventData function. r=freddyb https://hg.mozilla.org/integration/autoland/rev/c33b6add9eab Don't strip CSP report URIs when the mSelfURI is a chrome: URL. r=freddyb https://hg.mozilla.org/integration/autoland/rev/b835e8ac47e3 Make the <meta> CSP in browser.xhtml pref controllable. r=freddyb https://hg.mozilla.org/integration/autoland/rev/a20a4eb224da Block inline event handlers in Nightly and collect telemetry. r=freddyb,Gijs,saschanaz

amarc

Updated

•

10 months ago

Regressions: 1940393

amarc

Comment 7

•

10 months ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/3fade7db9688
https://hg.mozilla.org/mozilla-central/rev/c33b6add9eab
https://hg.mozilla.org/mozilla-central/rev/b835e8ac47e3
https://hg.mozilla.org/mozilla-central/rev/a20a4eb224da

Status: NEW → RESOLVED

Closed: 10 months ago

status-firefox136: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 136 Branch

Tom Schuster (MoCo)

Assignee

Updated

•

10 months ago

Blocks: 1940941

Tom Schuster (MoCo)

Assignee

Updated

•

9 months ago

Blocks: 1941322

Tom Schuster (MoCo)

Assignee

Updated

•

9 months ago

Blocks: 1942991

Tom Schuster (MoCo)

Assignee

Updated

•

9 months ago

Updated

•

8 months ago

Blocks: 1950047

Tom Schuster (MoCo)

Assignee

Updated

•

8 months ago

Blocks: 1953374

You need to log in before you can comment on or make changes to this bug.